Full Version: Protect Your Objects.
Teox_00
This is a simple way to help your code not to be stolen. This does not work with Game Maker 6. This only works with Game Maker 7 or later. Ok.

Download the Library Builder from here. http://gmc.yoyogames.com/index.php?showtopic=172
Open it up and make your own custom code editor. This can be done as easy as 1, 2, 3. If you need help with that, feel free to PM me about it. Once you have made one, save it in Program file, Game Maker, Libs. Now whenever you use code, use your custom code editor. Now anyone else without your lib cannot edit your code. This is very simple. People cannot look at your objects' code.

I hope you have fun looking at 'Unknown Action', all you decompilers.

-Teox_00.
Camman
Actually, that is pretty clever.
Teox_00
QUOTE (Camman @ May 3 2008, 02:52 AM) *
Actually, that is pretty clever.

Also if you're in a team project just give your team members your lib.
Chronic
This method just slows down the person wanting your source, it doesn't protect it 100%.
mme
It seems my previous post was deleted. Like I said this method will only stop users with no knowledge of GM7's format. But this method is still very easy to bypass.
Revel
Nice find! whistle.gif

However, I wouldn't want to confuse myself with libs and using it as a code editor.

Owned Jext!
Teox_00
QUOTE (Chronic @ May 3 2008, 03:47 AM) *
This method just slows down the person wanting your source, it doesn't protect it 100%.

That is true. It was a good try. Maybe the Lib Builder could be updated or something because Lib Builder could really help protection.
Chronic
The lib builder won't help with protection at all. To help protection you have to prevent people from reversing an EXE back to source. Then and ONLY then will your work be protected.
Teox_00
QUOTE (Chronic @ May 3 2008, 02:53 AM) *
The lib builder won't help with protection at all. To help protection you have to prevent people from reversing an EXE back to source. Then and ONLY then will your work be protected.

An exe wrapper helps a bit. Maybe using a custom code editor and then using an exe wrapper? Or just the exe wrapper.
mme
Neither, as said in other topics the wrapper doesn't protect your game as when the game is run the .exe is simply in its original state.
Teox_00
Protecting exe's against decompilers is hard.
Revel
I found an exe wrapper once, and it worked but the wrapped exe was considered a trojan by my anti virus.
Teox_00
QUOTE (Revel @ May 3 2008, 04:21 AM) *
I found an exe wrapper once, and it worked but the wrapped exe was considered a trojan by my anti virus.

Damn. Also, novice users of Game Maker and the decompiler won't be able to crack it unless they use a way that I'm not discussing. There is one way to stop the unknown action. So it will protect you from most people and also slow down the others.
NakedPaulToast
I've discovered a perfect method to protect Games from the decompiler.
  1. Create executable.
  2. Open window containing the recently created game.
  3. Right click on game.
  4. Select Delete.
  5. Right-click on Recycle Bin
  6. Select Empty Recycle Bin
  7. Defrag Hard Drive
  8. Format Hard Drive
  9. Remove Hard Drive from case
  10. Take blow torch to hard drive.
  11. Smash charred Hard Drive into little pieces.

This method seems to work with all versions of Game Maker.
xDanielx
QUOTE (NakedPaulToast @ May 2 2008, 08:02 PM) *
This method seems to work with all versions of Game Maker.

I thought GM7 games were fireproof...?
IsmAvatar
@NakedPaulToast:
At step 4, it asks me if I'm sure I want to delete? Do I hit yes or no?


@Teox:
One small problem with this. If the user decides to open the already-decompiled game (that is, the GMK) in a program such as LateralGM, the code will be available to prying eyes again. This is because LateralGM actually treats "Undefined Actions" by pulling out as much information from them as it can, and allowing you to view/edit it, without needing the library. Granted, it's a lot easier if you actually have the library.
Revel
@NakedPaulToast:
After Smashing charred Hard Drive into little pieces, where do I put the pieces?

@IsmAvatar:
Hit "yes" laugh.gif


On Topic:

This is a good way to stop noobs from decompiling it. The only people that want the source are the people that are too nooby to know how the file system works. If they were a pro programmer, then there wouldn't really be any good way of stopping them if they really wanted your code.
Dmaster270
Hit yes.
name
@ NPT;
HAHAHAAHAHAHAHHAHAAHAHH
biggrin.gif
39ster
What happens when they get your code?
Dmaster270
QUOTE (39ster @ May 2 2008, 08:34 PM) *
What happens when they get your code?

They get an unknown library thing.
39ster
QUOTE (Dmaster270 @ May 3 2008, 02:37 PM) *
QUOTE (39ster @ May 2 2008, 08:34 PM) *
What happens when they get your code?

They get an unknown library thing.

I mean, what happens if you do not use this quick fix and they do end up getting your code?
anonymouss
QUOTE (39ster @ May 3 2008, 05:34 AM) *
What happens when they get your code?

They do whatever they want with it.
NakedPaulToast
QUOTE
@NakedPaulToast:
After Smashing charred Hard Drive into little pieces, where do I put the pieces?


Do not leave them lying around. If IsmAvatar finds them, in no time she'll have them reverse engineered, documented and published under the GNU-GPL licence.
JaketheSnake3636
My teammate and I have found a useful way of combating the decompiler for our MMO under development.

Upon a client connecting to the game server, the hashes of all the legit game files, including the exe, will be sent to the game client from the server. At which point those hashes will be checked against a hash of the client's own files. If any of these files differ, they will be downloaded from the website, and the game will restart.

After completing this check, and the files all match, an AutoIT script will run sending over its hash of the game client as well as the IP to an AutoIT server (this works well because it doesn't actually obtain info dependent on the client .exe). The Autoit server will perform a check of the hashes and write the IP and either Allow or Deny to a text file.

The game server checks the text file at regular intervals, and will sort through the data, and allow or deny any IP in the file. If it gets allowed, the client will then be able to fully connect to the server.

The Autoit client and server are used to basically communicate info from client to server, yet allow the information to be secure through the use of an obfuscator. We would allow the Autoit client to communicate directly to the game server, but we were having problems with default packet encryptions built into the Autoit program, therefore we need to use an Autoit server as a medium.

EDIT: Forgot to note... This still allows your code to be viewable. But the second it's decompiled, it cannot connect to the game server.
39ster
Well, I'm developing an open source MMO in C++. If you do it right, you can eliminate hacking even if your source code is stolen or if you make it open source.
Benaroth
QUOTE (39ster @ May 3 2008, 02:44 PM) *
eliminate hacking


No hacking whatsoever? Isn't that impossible? huh.gif

Also isn't that beside the point in this topic? The topic's about protecting your source code (or attempting to whistle.gif).
bearSoft
Obfuscation is the way ahead -a project for gmk obfuscation is ongoing.

39ster
QUOTE (Benaroth @ May 3 2008, 05:10 PM) *
QUOTE (39ster @ May 3 2008, 02:44 PM) *
eliminate hacking


No hacking whatsoever? Isn't that impossible? huh.gif

Also isn't that beside the point in this topic? The topic's about protecting your source code (or attempting to whistle.gif).

It depends on the type of game. The only hacks that are impossible to stop are client side stuff like how things are drawn (such as giving players bright red skins in an FPS game) or auto aiming hacks (seeing as aiming is controlled client side). For games like MMOs, stuff like that will generally give the player no advantage. It's entirely possible to stop hacks such as speed hacks, wall hacks, stat hacks, etc. because everything that can give the player an advantage, or affect other players, should be server-side.

The reason I mentioned it is because people who make MMOs are very paranoid that others will decompile their game and modify the source code to cheat in the game. I just don't see any significant reason why people care that others can see their source code.
Lukearentz
I like the thought of this idea, but it seems to me that many people put a large amount of effort to prevent people from stealing their codes, from an insecure game maker. I think that the people who need to steal these codes are usually noobs, this in turn means that when they release the game as their own, major problems may arise that they can't fix or others will know they just stole the code.

Good idea with the .lib tho tongue.gif
Benaroth
QUOTE (39ster @ May 3 2008, 04:49 PM) *
QUOTE (Benaroth @ May 3 2008, 05:10 PM) *
QUOTE (39ster @ May 3 2008, 02:44 PM) *
eliminate hacking


No hacking whatsoever? Isn't that impossible? huh.gif

Also isn't that beside the point in this topic? The topic's about protecting your source code (or attempting to whistle.gif).

It depends on the type of game. The only hacks that are impossible to stop are client side stuff like how things are drawn (such as giving players bright red skins in an FPS game) or auto aiming hacks (seeing as aiming is controlled client side). For games like MMOs, stuff like that will generally give the player no advantage. It's entirely possible to stop hacks such as speed hacks, wall hacks, stat hacks, etc. because everything that can give the player an advantage, or affect other players, should be server-side.

The reason I mentioned it is because people who make MMOs are very paranoid that others will decompile their game and modify the source code to cheat in the game.

Ahh I see, I'm convinced now tongue.gif


QUOTE (39ster @ May 3 2008, 04:49 PM) *
I just don't see any significant reason why people care that others can see their source code.


Me neither! I stand with your first comment: "What happens when they get your code?"
I liked the impact of your statement also, just the one powerful question in your post. Didn't seem like many people got it though.

Heh if someone decompiled my game I would consider it an honour that they thought it was that good or that they really wanted to learn something from it (if they pm'ed me I would tell them anyway).
Revel
Thanks, JaketheSnake3636. That is a good idea, and I might use it in the future if I get your permission.

You have all the hashes stored on the server right?
IsmAvatar
QUOTE
Do not leave them lying around. If IsmAvatar finds them, in no time she'll have them reverse engineered, documented and published under the GNU-GPL licence.

[/thread]

QUOTE
Heh if someone decompiled my game I would consider it an honour that they thought it was that good or that they really wanted to learn something from it

Decompiling isn't necessarily used to learn from the game. It is also used to cheat, bugfix, and redistribute. The prior two would kind of strip you of your honour, and the third is an attempt to transfer the honour. The open source movement takes an interesting stance on these 3 and says "Go right ahead." That is to say, by open sourcing, you acknowledge that cheats, bugfixes, and redistribution are not problems, but empowerment of the user. To see how successful this is, look at Morrowind and Oblivion, as well as Command and Conquer: Tiberium Sun (and possibly other C&C games. That's the only one I'm familiar with). These games have opened the doors up to modifications to the games (albeit through Plugins), and are now incredibly popular and keep you playing because people keep adding new content plugins.
bearSoft
and there is one more I can add to IsmAvatar's 3, which in fact is the most sinister.
If you have a name that is trusted and have several applications/games posted under your name, a black-hacker can decompile your file, build in some virus or, seen more often, a trojan. Phishing the users' eBank info (users that trust YOU). Then abusing the accounts, zombifying the infected PC and using it for illegal actions. In the end, ALL the flack will hit YOU. The horrors came from YOUR proggie, and you will never be able to repair your net-reputation.
The fact is that yyg needs to tackle the security issues rigorously.
Gm needs
*version-hash calculation
*inbuilt obfuscation (better than some ciphic encryption because a versatile obfuscation is seriously hard to crack)
Gm has grown. With size the responsibility grows. I said above that in the end the flack hits YOU, the final flack hits yyg!
This will come, they have to. But then we all have to pay - I predict that we have seen the last release with licence update.
Yyg/MO is at a crossroad. Security, mac, rebuilding to ccp and version decisions. The competition is not asleep. ..nough said...
39ster
QUOTE (bearSoft @ May 4 2008, 06:27 PM) *
and there is one more I can add to IsmAvatar's 3, which in fact is the most sinister.
If you have a name that is trusted and have several applications/games posted under your name, a black-hacker can decompile your file, build in some virus or, seen more often, a trojan. Phishing the users' eBank info (users that trust YOU). Then abusing the accounts, zombifying the infected PC and using it for illegal actions. In the end, ALL the flack will hit YOU. The horrors came from YOUR proggie, and you will never be able to repair your net-reputation.
The fact is that yyg needs to tackle the security issues rigorously.
Gm needs
*version-hash calculation
*inbuilt obfuscation (better than some ciphic encryption because a versatile obfuscation is seriously hard to crack)
Gm has grown. With size the responsibility grows. I said above that in the end the flack hits YOU, the final flack hits yyg!
This will come, they have to. But then we all have to pay - I predict that we have seen the last release with licence update.
Yyg/MO is at a crossroad. Security, mac, rebuilding to ccp and version decisions. The competition is not asleep. ..nough said...

It's fairly easy to do malicious things without having to decompile the game. There are plenty of tools that let you bind viruses and trojans to programs.
Teox_00
Thanks for all your comments. I was away for roughly 24 hours and came back to find this topic on the front page. This prevents most people from stealing your code. Not all people with decompilers check how to use it and what it does and how to uncode stuff. So we should be fine.
Tahnok
QUOTE (JaketheSnake3636 @ May 2 2008, 11:21 PM) *
My teammate and I have found a useful way of combating the decompiler for our MMO under development.
[...]
This idea has been brought up several times and been shot down each time, rightfully so. You can't depend on the client sending valid data. If we could, the whole issue would be non-existent. The fact of the matter is though that the client can spoof a valid hash. They can easily get the correct value by intercepting the original game's hash and then using that value in a modified version. Trying to check if the client's game has been tampered with is not the way to prevent cheaters.

It's already been pointed out that a well written online game can prevent a lot of hacking, especially if it's not an action game where the client has to be given a certain amount of freedom.

As far as "what happens when they get your code", in most cases it really doesn't matter. But surely you of all people, 39ster, know what havoc a certain program has brought upon many GM online games. The ability for just anyone to go in and change code has made many games unplayable, completely ruining what the developer has worked so long on. Yes, they should have seen this coming and written things a little more carefully, but there's some things that just can't be prevented (especially in non-RPG genres, where there's not always time to do a server-side check before reacting). Not to mention, many of these GM action online games use servers run by the user, in which case there's no security net that's still within the developer's control. At least slowing them down from getting the code will help prevent many GM online games from constantly being ruined.

Edit: And as far as this solution, it simply won't work, not for long anyway. It may stop people who don't have a clue, but after a while someone more experienced will crack your security wide open. Once it's open, it's just a matter of the hacker blabbing to all the people who don't have a clue how to get in, and just like that everyone has access again. I'm not saying you shouldn't try, I'm just saying it shouldn't be your only line of defense. Right now, the best defense is probably obfuscation and correctly writing online games.
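Added example, not part of the original thread or any poster's code: a Python model of the two points made above by 39ster and Tahnok, that a client-reported file hash is only a string the peer chose to send, while a movement check done on the server holds whatever program the client runs. The release bytes, speed limit, tolerance and every class and function name are constructed for illustration.

```python
import hashlib
import math
from dataclasses import dataclass

# All values below are constructed for illustration; none come from the thread.
RELEASE_EXE = b"constructed bytes standing in for the released game exe"
EXPECTED_HASH = hashlib.sha256(RELEASE_EXE).hexdigest()
MAX_SPEED = 5.0   # hypothetical: units per second the game rules allow
TOLERANCE = 1.10  # hypothetical: slack for network timing jitter


def hash_gate(reported_hash: str) -> bool:
    """The integrity check as the server sees it: a string supplied by the
    peer. A match says nothing about which program produced the string."""
    return reported_hash == EXPECTED_HASH


@dataclass
class Player:
    x: float
    y: float
    last_update: float  # server clock, in seconds


class GameServer:
    """Keeps the authoritative position; clients only request moves."""

    def __init__(self):
        self.players = {}
        self.rejected = []  # (name, distance, elapsed) of refused moves

    def join(self, name, reported_hash, now):
        if not hash_gate(reported_hash):
            return False
        self.players[name] = Player(0.0, 0.0, now)
        return True

    def move(self, name, x, y, now):
        """Accept a requested position only if it is reachable at MAX_SPEED
        in the time elapsed on the server's own clock."""
        p = self.players[name]
        elapsed = now - p.last_update
        dist = math.hypot(x - p.x, y - p.y)
        if elapsed <= 0 or dist > MAX_SPEED * elapsed * TOLERANCE:
            self.rejected.append((name, round(dist, 2), round(elapsed, 2)))
            return (p.x, p.y)  # state unchanged; client is snapped back
        p.x, p.y, p.last_update = x, y, now
        return (x, y)


def demo():
    server = GameServer()
    # The honest client hashes its own file. The modified client hashes
    # nothing and repeats the value an unmodified copy reports.
    honest_hash = hashlib.sha256(RELEASE_EXE).hexdigest()
    replayed_hash = honest_hash
    joined = (server.join("honest", honest_hash, now=0.0),
              server.join("modified", replayed_hash, now=0.0))
    # One second later both request a move: 5 units versus 50 units.
    honest_pos = server.move("honest", 3.0, 4.0, now=1.0)
    modified_pos = server.move("modified", 30.0, 40.0, now=1.0)
    return joined, honest_pos, modified_pos, server.rejected


if __name__ == "__main__":
    print(demo())
```

Both clients pass the hash gate, so the gate cannot tell them apart; only the server-side rule distinguishes them, and it does so without trusting anything the client says about itself.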
Doogie_Forever
QUOTE (Tahnok @ May 4 2008, 08:46 PM) *
QUOTE (JaketheSnake3636 @ May 2 2008, 11:21 PM) *
My teammate and I have found a useful way of combating the decompiler for our MMO under development.
[...]
This idea has been brought up several times and been shot down each time, rightfully so.
[...]


AUTO.IT encrypts its packets, a decompile person can't decompile an auto.it program or figure out the encryption used to send the hashes, seems feasible to me.

Using Extensions to send data is also another great method since extensions aren't decompiled which he is using and the packet could easily be encrypted as well and randomly generated to throw the hacker off track.

His ideas seem and ARE good. You need to use methods like this AND make things server-side. The more security the better.
Benaroth
QUOTE (IsmAvatar @ May 4 2008, 03:04 PM) *
QUOTE
Do not leave them lying around. If IsmAvatar finds them, in no time she'll have them reverse engineered, documented and published under the GNU-GPL licence.

[/thread]

QUOTE
Heh if someone decompiled my game I would consider it an honour that they thought it was that good or that they really wanted to learn something from it

Decompiling isn't necessarily used to learn from the game. It is also used to cheat, bugfix, and redistribute. The prior two would kind of strip you of your honour, and the third is an attempt to transfer the honour. The open source movement takes an interesting stance on these 3 and says "Go right ahead." That is to say, by open sourcing, you acknowledge that cheats, bugfixes, and redistribution are not problems, but empowerment of the user. To see how successful this is, look at Morrowind and Oblivion, as well as Command and Conquer: Tiberium Sun (and possibly other C&C games. That's the only one I'm familiar with). These games have opened the doors up to modifications to the games (albeit through Plugins), and are now incredibly popular and keep you playing because people keep adding new content plugins.


Cheat - as long as it's not online what's the problem? The whole point in a game is to have fun playing it. If that means the player wants/needs to cheat then go ahead! Most games have cheats in them anyway.

Bugfix - Now what's wrong with that? huh.gif

Redistribute - to me this would still be an honour to an extent, sure I'd be ticked off, but if they managed to somehow persuade people to like my game somehow better than I could, then hell, my game has still met its purpose - to give people enjoyment. If I can see that people are enjoying my game then I'll be content. The only thing that really sticks out to me as bad in this case is that it wouldn't go towards my reputation. Reputation can do amazing things, 2Dcube's latest game got more downloads than my game will probably ever get in a single day.

QUOTE (bearSoft @ May 4 2008, 04:27 PM) *
and there is one more I can add to IsmAvatar's 3, which in fact is the most sinister.
If you have a name that is trusted and have several applications/games posted under your name, a black-hacker can decompile your file, build in some virus or, seen more often, a trojan. Phishing the users' eBank info (users that trust YOU). Then abusing the accounts, zombifying the infected PC and using it for illegal actions. In the end, ALL the flack will hit YOU. The horrors came from YOUR proggie, and you will never be able to repair your net-reputation.


Are we still talking about game maker?
Chronic
QUOTE
AUTO.IT encrypts its packets, a decompile person can't decompile an auto.it program or figure out the encryption used to send the hashes, seems feasible to me.


I'm sorry but this is nonsense. AutoIT comes with a compiler AND decompiler, try looking in your "Extras" folder. I've also read that even if you add a password when compiling, it can still be decompiled by other means. Oh, and yes there is a decompiler for the newest version too.
Boffel Production
To protect your games, just use the instant player without the download link...

Your file is protected on yoyogames wink1.gif
rjbruin
But the download link is not removable, every game has it available. So one thing that could help protect the games is for the YoYo Games staff to remove the option to download the package not using Instant Play. Am I right?
uuf6429
@NPT: It asks me I need to restart my PC to do the format. Do I have to do so?
tongue.gif Seriously though, there's no bulletproof method to hide your code. Whatever compiler, interpreter or whatever it is, the code can be read. Why? Because if the computer understands that code then obviously those that created the computer will (of course even those that know how the computer works...).
The best way to "protect" is through obfuscation (@Schreib).
IsmAvatar
QUOTE
To protect your games, just use the instant player without the download link...

Your file is protected on yoyogames

Information is downloaded to your computer in order for it to be played. First, the runner data (that's the plugin that you downloaded in the first place), and then the game data, which is stored in [a common location on your computer, which I have chosen not to disclose for some odd reason]. Whilst the information there cannot be run through the decompiler (yet), it's there... probably won't be long now.
bob799
QUOTE (JaketheSnake3636 @ May 3 2008, 01:21 AM) *
My teammate and I have found a useful way of combating the decompiler for our MMO under development...

Couldn't you mess with the source to send the correct md5's without even checking the files it's using? Normally I doubt anyone would go to that much trouble but when it comes to MMO's you never know.

Edit: dang somehow missed that someone had said this
erthgy
QUOTE (NakedPaulToast @ May 3 2008, 12:02 AM) *
This method seems to work with all versions of Game Maker.

Technically this would work... Assuming that you never uploaded your game's file to the internet, and that the hardware (in real life) is completely destroyed snitch.gif.

Now, no one can access our games! happy.gif
Tahnok
QUOTE (bob799 @ May 4 2008, 03:09 PM) *
Couldn't you mess with the source to send the correct md5's without even checking the files it's using? Normally I doubt anyone would go to that much trouble but when it comes to MMO's you never know.

Yeah, I pointed that out in post #37 (second page), and Chronic confirmed it.

If there's one thing I've learned, it's to never underestimate the devotion of hackers. Really, if the game is popular, someone is going to spend the time to do that. Besides, spoofing the hash check wouldn't be too hard if you have access to the full source. It would just be a matter of redirecting a few lines of code.
JaketheSnake3636
QUOTE (bob799 @ May 4 2008, 05:09 PM) *
QUOTE (JaketheSnake3636 @ May 3 2008, 01:21 AM) *
My teammate and I have found a useful way of combating the decompiler for our MMO under development...

Couldn't you mess with the source to send the correct md5's without even checking the files it's using? Normally I doubt anyone would go to that much trouble but when it comes to MMO's you never know.

Edit: dang somehow missed that someone had said this

Maybe I forgot to mention this, but the client doesn't actually send any of the hashes over. We use the Autoit client (which is obfuscated) to retrieve the hashes of all the files. So unless the person can decrypt/decompile the Autoit client, then the system works rather well. That's the reason it works so well, which is because the client isn't entrusted with any crucial information when deciding if the connection is legit.

EDIT: I checked my post over, and I did indeed word everything right. I understand that it may be hard to catch everything that I stated, but I just wanted you to know that someone can't simply modify the source to send over false md5 hashes because the .gmk isn't entrusted to that.
IsmAvatar
QUOTE (JaketheSnake3636)
So unless the person can decrypt/decompile the Autoit client


QUOTE (Chronic)
AutoIT comes with a compiler AND decompiler, try looking in your "Extras" folder.
JaketheSnake3636
QUOTE (IsmAvatar @ May 5 2008, 09:18 PM) *
QUOTE (JaketheSnake3636)
So unless the person can decrypt/decompile the Autoit client


QUOTE (Chronic)
AutoIT comes with a compiler AND decompiler, try looking in your "Extras" folder.


If you read my post more clearly, you'd know that we're using an obfuscator to protect the Autoit client... Am I missing something?